Validate only the first cert entry in kubeadm

kubernetes · Feb 3, 2024 · 2ba540a · 2ba540a
1 parent 77566f2
commit 2ba540a
Showing 1 changed file with 20 additions and 2 deletions.
diff --git a/cmd/kubeadm/app/phases/kubeconfig/kubeconfig.go b/cmd/kubeadm/app/phases/kubeconfig/kubeconfig.go
@@ -264,8 +264,26 @@ func validateKubeConfig(outDir, filename string, config *clientcmdapi.Config) er
 	}
 	caExpected := bytes.TrimSpace(config.Clusters[expectedCluster].CertificateAuthorityData)
 
-	// If the current CA cert on disk doesn't match the expected CA cert, error out because we have a file, but it's stale
-	if !bytes.Equal(caCurrent, caExpected) {
+	// Parse the current certificate authority data
+	currentCaCerts, err := certutil.ParseCertsPEM(caCurrent)
+	if err != nil {
+		return errors.Errorf("the kubeconfig file %q contains an invalid ca cert", kubeConfigFilePath)
+	}
+	// only fetch the first certificate in the cacert
+	currentCaCert := currentCaCerts[0]
+
+	// Parse the expected certificate authority data
+	expectedCaCerts, err := certutil.ParseCertsPEM(caExpected)
+	if err != nil {
+		return errors.Errorf("the expected base64 encoded ca cert %q could not be parsed as a pem", caExpected)
+	}
+
+	// only fetch the first certificate in the cacert. When this is read from file, only the first entry is considered
+	expectedCaCert := expectedCaCerts[0]
+
+	// Compare the current CA cert to the expected CA cert (which is only 1 entry).
+	// If the contents of this certificate do not match then the file is stale.
+	if !bytes.Equal(currentCaCert.Raw, expectedCaCert.Raw) {
 		return errors.Errorf("a kubeconfig file %q exists already but has got the wrong CA cert", kubeConfigFilePath)
 	}
 	// If the current API Server location on disk doesn't match the expected API server, show a warning